From 7a906196ede31f747344871c6df8dc7ddb1de61e Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Wed, 30 Oct 2024 15:30:46 +0100
Subject: [PATCH] golangci-lint: enable G204, add #nosec comments instead
There's only 3 locations where it's hit, so putting #gosec ignore comments in those locations.
Signed-off-by: Sebastiaan van Stijn
(cherry picked from commit 020f3a7ad961650e312db4c013b549c5cc45e93b)
Signed-off-by: Sebastiaan van Stijn
---
 .golangci.yml | 5 -----
 cli-plugins/manager/candidate.go | 2 +-
 cli-plugins/manager/manager.go | 3 ++-
 cli-plugins/manager/plugin.go | 2 +-
 4 files changed, 4 insertions(+), 8 deletions(-)
diff --git a/.golangci.yml b/.golangci.yml
index a00093c80d..920bdd3965 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -146,11 +146,6 @@ issues:
 - text: "G104"
 linters:
 - gosec
- # Looks like the match in "EXC0007" above doesn't catch this one
- # TODO: consider upstreaming this to golangci-lint's default exclusion rules
- - text: "G204: Subprocess launched with a potential tainted input or cmd arguments"
- linters:
- - gosec
 # Looks like the match in "EXC0009" above doesn't catch this one
 # TODO: consider upstreaming this to golangci-lint's default exclusion rules
 - text: "G306: Expect WriteFile permissions to be 0600 or less"
diff --git a/cli-plugins/manager/candidate.go b/cli-plugins/manager/candidate.go
index 83e5a05256..e65ac1a54f 100644
--- a/cli-plugins/manager/candidate.go
+++ b/cli-plugins/manager/candidate.go
@@ -17,5 +17,5 @@ func (c *candidate) Path() string {
 }
 
 func (c *candidate) Metadata() ([]byte, error) {
- return exec.Command(c.path, MetadataSubcommandName).Output()
+ return exec.Command(c.path, MetadataSubcommandName).Output() // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 }
diff --git a/cli-plugins/manager/manager.go b/cli-plugins/manager/manager.go
index 9886830240..f9229c5257 100644
--- a/cli-plugins/manager/manager.go
+++ b/cli-plugins/manager/manager.go
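Review bot: The `#nosec G204` comment added on the `exec.Command(c.path, MetadataSubcommandName)` line in `Metadata()` only restates the rule's message, so it records that the finding was silenced but not why executing `c.path` is acceptable. The same wording is used in the manager.go hunk (`exec.Command(plugin.Path, args...)`) and the plugin.go hunk (`exec.CommandContext(ctx, p.Path, ...)`). A justification that names the trust assumption would let a later reader re-check it when plugin discovery changes, for example `// #nosec G204 -- c.path is a plugin binary located in the configured plugin directories, not free-form user input`. How `c.path` is populated is not visible in this hunk, so that wording should be confirmed against the code that builds the candidate.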
@@ -240,7 +240,8 @@ func PluginRunCommand(dockerCli command.Cli, name string, rootcmd *cobra.Command
 // TODO: why are we not returning plugin.Err?
 return nil, errPluginNotFound(name)
 }
- cmd := exec.Command(plugin.Path, args...)
+ cmd := exec.Command(plugin.Path, args...) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
+
 // Using dockerCli.{In,Out,Err}() here results in a hang until something is input.
 // See: - https://github.com/golang/go/issues/10338
 // - https://github.com/golang/go/commit/d000e8742a173aa0659584aa01b7ba2834ba28ab
diff --git a/cli-plugins/manager/plugin.go b/cli-plugins/manager/plugin.go
index 877241e0b8..5576ef4301 100644
--- a/cli-plugins/manager/plugin.go
+++ b/cli-plugins/manager/plugin.go
@@ -112,7 +112,7 @@ func (p *Plugin) RunHook(ctx context.Context, hookData HookPluginData) ([]byte,
 return nil, wrapAsPluginError(err, "failed to marshall hook data")
 }
 
- pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes))
+ pCmd := exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes)) // #nosec G204 -- ignore "Subprocess launched with a potential tainted input or cmd arguments"
 pCmd.Env = os.Environ()
 pCmd.Env = append(pCmd.Env, ReexecEnvvar+"="+os.Args[0])
 hookCmdOutput, err := pCmd.Output()
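Review bot: With G204 suppressed on the `exec.CommandContext(ctx, p.Path, p.Name, HookSubcommandName, string(hDataBytes))` line in plugin.go, nothing records that the marshalled hook data is handed to the plugin as a command-line argument, where it can be read by other local processes through the process list. If `HookPluginData` can carry values taken from the user's command line (its fields are not visible in this hunk), the comment should state that the payload is treated as non-sensitive, e.g. `// #nosec G204 -- p.Path is a discovered plugin binary; hook data is passed as one argv element and must not contain secrets`. RunHook's body starts before and continues after the hunk, so the construction of `hookData` should be checked there.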